
Alerts and Logs

Understanding alerts and logs

ZoneAlarm security software alert and logging features keep you aware of what’s happening on your computer without being overly intrusive, and enable you to go back at any time to investigate past alerts. Expert rule options let you track not only blocked traffic, but allowed traffic as well, giving advanced users maximum information options when customizing security rules for their environment.

About ZoneAlarm security software alerts

ZoneAlarm security software alerts fall into three basic categories: informational, program, and network. Additional alerts that may appear based on the version of ZoneAlarm security software you are using include ID Lock alerts and OSFirewall alerts.

To learn about the types of alerts that appear and how to respond to them, see Appendix A, “Alert reference,” starting on page 219.

Chapter 9: Alerts and Logs About ZoneAlarm security software alerts

Informational alerts

Informational alerts tell you that ZoneAlarm security software has blocked a communication that did not fit your security settings. The most common type of informational alert is the Firewall alert.

Figure 9-1: Firewall alert

The Firewall alert shows:

• The IP address of the computer that sent the blocked packet, the protocol that was used, and/or the port to which the packet was addressed.

• The date and time the alert occurred.

• The number of alerts that have occurred since the alert box opened (for example, “28th of 74 alerts”). Use the arrow controls to step through them.

• A More Info button. Click it to submit alert data to SmartDefense.

• A check box for quieter security. Select it before clicking OK.

Informational alerts don’t require a decision from you. Close the alert by clicking OK at the bottom of the alert. Closing the alert does not allow any traffic to access your computer; the communication was already blocked.

Program alerts

Program alerts ask you if you want to allow a program to access the Internet or local network, or to act as a server. Program alerts require an Allow or Deny response. The most common types of Program alerts are the New Program alert and the Repeat Program alert.

Figure 9-2: New Program alert

The New Program alert shows:

• The name of the program that is requesting permission.

• The filename of the program that requested permission, and the IP address and port number of the computer that the program is trying to contact.

• Program advice, when available. If no advice is available, click More Info to submit alert data to SmartDefense Advisor.

• A Remember this setting check box. Select it before clicking Allow or Deny to avoid seeing an alert for this program again.

By clicking Allow, you grant permission to the program. By clicking Deny, you deny permission to the program. If SmartDefense Advisor is set to “Auto,” Zone Labs security software issues Program alerts only if no automatic setting is available. If you choose Remember this setting in a Program alert when allowing or denying program access, Zone Labs security software keeps your setting unless SmartDefense Advisor comes out with a different setting, or until you change the setting manually in the Programs tab. If you do not choose Remember this setting, Zone Labs security software will issue another Program alert the next time the program attempts the same action.


New Network alerts

New Network alerts occur when you connect to any network—be it a wireless home network, a business LAN, or your ISP’s network.

Figure 9-3: New Network alert

The New Network alert shows:

• The type of network (wireless or other), IP address, and subnet mask of the detected network.

• A field for the network name. Type a name here; it appears in the Zones tab so that you can recognize the network later.

• The Zone in which to place the new network. Put the network in the Trusted Zone only if you know that it is your home or business LAN and not your ISP’s network.

• The Network Configuration Wizard, for more help configuring your network.

• An OK button. Click it to place the network in the selected Zone and close the alert box.


ID Lock alerts

If they have enabled the ID Lock feature, users of ZoneAlarm Pro and ZoneAlarm Security Suite may see ID Lock alerts if the personal information stored in myVAULT is sent to a destination that is not listed on their Trusted Sites list.

Figure 9-4: ID Lock alert

The ID Lock alert shows:

• A description of the information being sent.

• The application trying to send the information and the IP address of the computer it’s being sent to.

• A check box that adds this destination to your Trusted Sites list.

• A More Info button. Click it to submit alert data to SmartDefense.

By clicking the Yes button, you grant permission to send the information to the requesting IP address. If you do not want to be alerted the next time myVAULT data is sent to this destination, select the “Do you want to remember...” check box to add the destination to your Trusted Sites list.

OSFirewall alerts

There are three types of OSFirewall alerts that you may see: High-rated Suspicious alert, Medium-rated Suspicious alert, and Malicious alert. These alerts inform you that ZoneAlarm Security Suite has detected a program on your computer performing an action that could be harmful to your data or computer.

Figure 9-5: Medium-rated Suspicious Behavior alert

Suspicious Behavior alerts show:

• A description of the detected behavior.

• The filename of the application attempting the behavior.

• A check box. Select it to allow or deny this action in the future without being alerted.

• A More Info button. Click it to submit alert data to SmartDefense Advisor.

Medium-rated Suspicious Behavior alerts inform you that a trusted program is trying to perform an action that may change the default behavior of a program. For example, if a program were to modify your browser’s home page, you would see a Medium-rated Suspicious Behavior alert.

High-rated Suspicious Behavior alerts, in contrast, inform you that an unknown program is attempting behavior that may cause programs or your operating system to stop functioning normally, or which could be spyware trying to monitor your activity. Because even legitimate programs sometimes need to perform High-rated Suspicious behavior, you will need to base your decision to allow or deny the action on your knowledge of the program. If the program is one you use frequently, and the action seems reasonable given the functionality of the program, it may be safe to allow it. If you are unsure, click More Info to submit the program information to SmartDefense Advisor.

Figure 9-6: High-rated Suspicious Behavior alert

The High-rated alert has the same callouts as Figure 9-5: the description of the detected behavior, the filename of the application attempting it, the check box for remembering your decision, and the More Info button.

For more information about OSFirewall alerts and the types of behavior detected, see Appendix D, “Program behavior,” starting on page 267.


About event logging

By default, ZoneAlarm security software creates a log entry every time traffic is blocked, whether an alert is displayed or not. Log entries record the traffic source and destination, ports, protocols, and other details. The information is recorded to a text file named ZALOG.txt, stored in the Internet Logs folder. Every 60 days, the log file is archived to a dated file so that it doesn’t become too large.

You can choose to prevent specific categories of events from being logged—for example, you may want to create log entries only for firewall alerts, or suppress entries for a particular type of Program alert. You can also have ZoneAlarm security software log specific types of traffic you have decided to allow, by creating expert rules with tracking features enabled.


Setting basic alert and log options

Basic alert and log options let you specify the type of event for which ZoneAlarm security software displays an alert and for which events it creates a log entry.

Setting the alert event level

The Alert Events Shown control, in the Main tab of Alerts & Logs, lets you control the display of alerts by rating. Program and ID Lock alerts are always displayed, because they ask you to decide whether to grant permission. Hiding an alert does not stop it from being logged; logging is controlled separately by the Event Logging and Program Logging settings described below.

To set the alert event level:

1. Select Alerts & Logs|Main.

2. In the Alert Events Shown area, select the desired setting:

High Displays an alert for every security event that occurs, both high-rated and medium-rated.

Med Displays only high-rated alerts, which are most likely a result of hacker activity.

Off Displays Program and ID Lock alerts only. Informational alerts are not displayed.

Setting event and program logging options

Use the Event Logging and Program Logging areas to choose what types of informational alerts and program alerts will be logged.

To enable or disable event logging and program logging:

1. Select Alerts & Logs|Main.

2. In the Event Logging area, select the desired setting:

On Creates a log entry for all events.

Off No events are logged.

3. In the Program Logging area, specify the log level:

High Creates a log entry for all program alerts.

Med Creates a log entry for high-rated program alerts only.

Off No program events are logged.


Controlling the number of alerts

You can specify whether you want to be alerted to all security and program events, or if you only want to be notified of events that are likely a result of hacker activity.

If you want to suppress most alerts while playing a computer game, see “Game Mode,” on page 174.

Showing or hiding firewall alerts

The Alert Events tab gives you more detailed control of alert display by allowing you to specify the types of blocked traffic for which Firewall and Program alerts are displayed.

To show or hide firewall or program alerts:

1. Select Alerts & Logs|Main, then click Advanced.

The Alert & Log Settings dialog appears.

2. Select the Alert Events tab.

3. In the Alert column, select the type of blocked traffic for which ZoneAlarm security software should display an alert.

4. Click Apply to save your changes.

Enabling system tray alerts

When you choose to hide some or all informational alerts, ZoneAlarm security software can still keep you aware of those alerts by showing a small alert icon in the system tray.

To enable system tray alerts:

1. Select Alerts & Logs|Main.

2. Click Advanced, then click the System Tray Alert tab.

3. Select the Enable system tray alert icon check box.


Game Mode

Game Mode temporarily suppresses most ZoneAlarm security software scans, product updates, and alerts, so that you can play games on your computer with fewer interruptions. Game Mode lets you temporarily allow or deny all program permission requests, so that ZoneAlarm security software can answer such requests automatically without displaying alerts. Automatic scans and product updates are postponed until you deactivate Game Mode. Game Mode remains active until you turn it off, or until you turn off ZoneAlarm security software or your computer.

Game Mode suppresses all Informational alerts and all alerts in which you are prompted to make a decision. This includes alerts caused by Ask settings in the Programs List, such as permission alerts triggered by programs trying to send mail or act as servers. It also includes OSFirewall alerts, which prompt you to allow or deny behavior considered unusual or suspicious. ID Lock alerts and Outbound Mailsafe alerts are also suppressed.

Game Mode settings do not override Block or Allow settings in your Programs List. If you have configured ZoneAlarm security software to always block a specific program, it continues to block that program even if you activate Game Mode with a setting of Allow.

The use of Game Mode may reduce the security of your system. If you choose to allow all permission requests, you may increase the chances of a malicious program harming your computer or gaining access to your data. If, on the other hand, you choose to deny all requests, you may interrupt the functions of a legitimate program. You should therefore activate Game Mode only for the duration of your game.

To turn Game Mode on:

1. Right-click on the system tray icon, and choose Game Mode...

2. In the Activate Game Mode dialog that appears, click one of the following:

Answer all alerts with “allow”—Permission requests will be granted.

Answer all alerts with “deny”—Permission requests will be denied.

3. Leave the Activate Game Mode dialog open or minimize it, but do not close it.

While Game Mode is on, ZoneAlarm security software displays a special Game Mode icon in the system tray.

If you close the Activate Game Mode dialog, you turn Game Mode off.


To turn Game Mode off, do one of the following:

• Close the Activate Game Mode dialog by clicking either Cancel or the Close icon (x) at upper right.

• Click Stop Game Mode in the Activate Game Mode dialog.

• Right-click the system tray icon and choose Stop Game Mode.

Note that Game Mode is automatically deactivated if you turn off your computer or if you turn off ZoneAlarm security software.


Setting event and program log options

You can specify whether ZoneAlarm security software keeps record of security and program events by enabling or disabling logging for each type of alert.

Formatting log appearance

Use these controls to determine the field separator for your text log files.

To format log entries:

1. Select Alerts & Logs|Main, then click Advanced.

The Alert & Log Settings dialog appears.

2. Select the Log Control tab.

3. In the Log Archive Appearance area, select the field separator to be used for logs:

Tab Select Tab to separate fields with a tab character.

Comma Select Comma to separate fields with a comma.

Semicolon Select Semicolon to separate fields with a semicolon.

Customizing event logging

By default, ZoneAlarm security software creates a log entry when a high-rated firewall event occurs. You can customize Firewall alert logging by suppressing or allowing log entries for specific security events, such as MailSafe quarantined attachments, Blocked non-IP packets, or Lock violations.

To create or suppress log entries based on event type:

1. Select Alerts & Logs|Main.

2. Click Advanced.

The Alert & Log Settings dialog appears.

3. Select the Alert Events tab.

4. In the Log column, select the type of event for which ZoneAlarm security software should create a log entry.

5. Click Apply to save your changes.

6. Click OK to close the Alert & Log Settings dialog.

Customizing program logging

By default, ZoneAlarm security software creates a log entry when any type of Program


To create or suppress log entries based on program alert type:

1. Select Alerts & Logs|Main.

2. In the Program Logging area, click Custom.

3. In the Program Logs column, select the type of event for which ZoneAlarm security software should create a log entry.

4. Click Apply to save your changes.

5. Click OK to close the Alert & Log Settings dialog.

Viewing log entries

You can view log entries two ways: in a text file using a text editor, or in the Log Viewer.

Although the format of each type of log differs slightly, the general information contained in the log is the same.

To view the current log in the Log Viewer:

1. Select Alerts & Logs|Log Viewer.

2. Select the number of alerts to display (from 1 to 999) in the alerts list.

You can sort the list by any field by clicking the column header. The arrow (^) next to the header name indicates the sort order. Click the same header again to reverse the sort order.

3. Select the type of alert you want to view:

Anti-spyware Displays the Date, Type, Spyware name, Filename, Action, and Actor columns.

Anti-virus Displays the Date/Time, Type, Virus Name, File Name, Action Taken, Mode, and E-mail Info columns.

Firewall Displays the Rating, Date/Time, Type, Protocol, Program, Source IP, Destination IP, Direction, Action Taken, Count, Source DNS, and Destination DNS columns.

IM Security Displays the Date/Time, Type, Source, Program, Local User, Remote User, and Action columns.

OSFirewall Displays the Rating, Date/Time, Type, Subtype, Data, Program, Direction, Action Taken, and Count columns.

Program Displays the Rating, Date/Time, Type, Program, Source IP, Destination IP, Direction, Action Taken, Count, Source DNS, and Destination DNS columns.

Spy Site Blocking Displays the Date/Time and the site that was blocked.


The Log Viewer shows security events that have been recorded in the ZoneAlarm security software log. To view details of Log Viewer fields for each alert type, refer to the Firewall, Program Control, Anti-virus, and IM Security chapters.

Field Information

Description A description of the event.

Direction The direction of the blocked traffic. “Incoming” means the traffic was sent to your computer. “Outgoing” means the traffic was sent from your computer.

Type The type of alert: Firewall, Program, ID Lock, or Lock Enabled.

Source DNS The domain name of the computer that sent the traffic that caused the alert. Treat this as informational only: the name comes from a reverse lookup of the source address, which whoever controls that address block can set to anything, so it does not identify the sender.

Source IP The IP address of the computer that sent the traffic that ZoneAlarm security software blocked.

Rating Each alert is high-rated or medium-rated. High-rated alerts are those likely to have been caused by hacker activity. Medium-rated alerts are likely to have been caused by unwanted but harmless network traffic.

Protocol The communications protocol used by the traffic that caused the alert.

Action Taken How the traffic was handled by ZoneAlarm security software.

Destination DNS The domain name of the intended addressee of the traffic that caused the alert.

Destination IP The address of the computer the blocked traffic was sent to.

Count The number of times an alert of the same type, with the same source, destination, and protocol, occurred during a single session.

Date/Time The date and time the alert occurred.

Program The name of the program attempting to send or receive data. (Applies only to Program and ID Lock alerts.)

Table 9-6: Log viewer fields
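The text log is written with the separator you pick under Log Archive Appearance (tab, comma, or semicolon), and its entries carry the fields listed in Table 9-6. The script below is an added example, not ZoneAlarm or Zone Labs code. It reads a constructed sample of separator-delimited log lines whose header names follow the Log Viewer’s Firewall columns; the real ZALOG.txt header line, column order, and date format are assumptions here, which is why the parser takes column names from the first line rather than hard-coding positions. It detects which of the three separators was used, re-derives the Count field by grouping entries with the same type, source, destination, and protocol, and lists the source addresses with the most blocked inbound traffic. The function names, the sample lines, and the “address:port” endpoint layout are all invented for the example.

```python
"""Parse a ZoneAlarm-style text log and summarise blocked traffic.

Added example, not code from ZoneAlarm or Zone Labs. Column names follow
the Log Viewer's Firewall/Program columns and Table 9-6; the exact header,
column order and date format of the real ZALOG.txt are assumptions, so the
parser reads column names from the first line instead of fixed positions.
It accepts the three field separators offered under Log Archive Appearance
(tab, comma, semicolon).
"""
from collections import Counter
import csv
import io

# Constructed sample, semicolon-separated; not real ZALOG.txt output.
SAMPLE_LOG = """\
Rating;Date/Time;Type;Protocol;Program;Source IP;Destination IP;Direction;Action Taken;Count
High;2006/03/14 22:15:01;Firewall;TCP;;203.0.113.5:4444;192.168.1.10:135;Incoming;Blocked;1
Medium;2006/03/14 22:15:03;Firewall;UDP;;192.168.1.1:67;255.255.255.255:68;Incoming;Blocked;1
High;2006/03/14 22:15:07;Firewall;TCP;;203.0.113.5:4445;192.168.1.10:135;Incoming;Blocked;1
High;2006/03/14 22:16:10;Firewall;TCP;;203.0.113.5:4446;192.168.1.10:445;Incoming;Blocked;1
Medium;2006/03/14 22:17:00;Program;TCP;updater.exe;192.168.1.10:1037;198.51.100.20:80;Outgoing;Allowed;1
"""

SEPARATORS = ("\t", ",", ";")  # the three Log Archive Appearance choices


def detect_separator(header_line):
    """Pick whichever of tab, comma or semicolon occurs most in the header.
    A header containing none of them is rejected rather than guessed at."""
    best = max(SEPARATORS, key=header_line.count)
    if header_line.count(best) == 0:
        raise ValueError("no tab, comma or semicolon in header line")
    return best


def parse_log(text):
    """Return one dict per log entry, keyed by the header's column names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    sep = detect_separator(lines[0])
    reader = csv.DictReader(io.StringIO("\n".join(lines)), delimiter=sep)
    entries = []
    for row in reader:
        # Count is numeric in the viewer; treat a blank or odd value as 1.
        count = row.get("Count") or "1"
        row["Count"] = int(count) if count.isdigit() else 1
        entries.append(row)
    return entries


def host_part(endpoint):
    """Strip a trailing ':port' from 'a.b.c.d:port' (assumed layout)."""
    return endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint


def session_counts(entries):
    """Re-derive the viewer's Count: entries of the same Type with the same
    source host, destination host and Protocol are summed together."""
    totals = Counter()
    for e in entries:
        key = (e["Type"], host_part(e["Source IP"]),
               host_part(e["Destination IP"]), e["Protocol"])
        totals[key] += e["Count"]
    return totals


def blocked_high_rated_incoming(entries):
    """The entries to look at first: high-rated (Table 9-6: likely hacker
    activity), inbound, and blocked."""
    return [e for e in entries
            if e["Rating"] == "High" and e["Direction"] == "Incoming"
            and e["Action Taken"] == "Blocked"]


def noisy_sources(entries, threshold=3):
    """Source hosts whose blocked inbound entries reach the threshold."""
    per_source = Counter()
    for e in entries:
        if e["Direction"] == "Incoming" and e["Action Taken"] == "Blocked":
            per_source[host_part(e["Source IP"])] += e["Count"]
    return sorted(h for h, n in per_source.items() if n >= threshold)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for key, n in session_counts(log).most_common():
        print(n, *key)
    print("noisy sources:", noisy_sources(log))
```

To run it against your own archive, replace SAMPLE_LOG with the contents of ZALOG.txt (or a dated archive file) from the Internet Logs folder; the separator detection means the same script works whichever of Tab, Comma, or Semicolon is selected under Log Archive Appearance.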

Viewing the text log